Abstract: A system and method for conducting secure distributed network communications without using Secure Socket Layer. A frame having an embedded security applet is forwarded by the device to an external node on the network. The security applet prompts a user at the external node for login data. Once valid, login data is established, subsequent frames sent between the device and external node includes a blank form with an appended string of tagged and concatenated secure field values encrypted using a key derived from the login data.

Abstract: The present invention provides a method and system for performing operations on data using XML streams. An XML schema defines a limited set of operations that may be performed on data. These operations include addition, subtraction, multiplication and division. The operations are placed in an XML stream that conforms to the XML schema. The XML stream may perform one or more of the defined operations on the data. The limited set of operations allows data to be validated and processed without excessive overhead.

Abstract: An architecture for optimizing network communications that utilizes a device positioned at two edges of a constrained Wide Area Network (WAN) link. The device intercepts outgoing network packets and reroutes them to a proxy application. The proxy application uses multiple, preferably persistent connections with a network accelerator device at the other end of the persistent connection. The proxy applications transmit the intercepted data. Packet mangling may involve spoofing the connection request at each end node; a proxy-to-proxy communication protocol specifies a way to forward an original address, port, and original transport protocol information end to end. The packet mangling and proxy-to-proxy communication protocol assure network layer transparency.

Abstract: A method and system for inserting and examining encrypted identification information in the data streams of application level connections for the purpose of persistently directing application connections to the same destination. The invention enables a network device to direct subsequent application level connections from the same client to the same server (destination) for accessing the requested resources. There are four modes for employing the encrypted information to persistently direct application level connections. The associative mode inserts information that uniquely identifies the client into a response. The passive mode inserts information that uniquely identifies a previously selected destination into a response. In the rewrite mode, a network device manages the destination information that is rewritten over blank information generated by the destination producing the response.

Abstract: A method and apparatus for allocating access to a scarce resource. A load of each flow on the resource is calculated. The aggregate load is compared to a maximum steady state load. A drop policy is established responsive to the comparison. The drop policy is applied to the flows at an input interface of the device.

Abstract: Methods and systems are directed to dynamically mirroring a connection between network devices. Mirroring is managed by forwarding a packet between a first network device and a second network device. In one method, the first network device receives the packet from a client and communicates the packet to the second network device. A forwarding device, pre-determined from the first and second network devices, forwards the packet to a server. The first network device receives a response from the server, and communicates it to the second network device. The forwarding device forwards the response packet to the client. In one configuration, the first network device and forwarding device is an active device, and the second network device is a standby device. In another configuration, the first network device is a standby device, and the second network device and forwarding device is an active device.

Abstract: A system for distributing network traffic to multiple traffic management devices. A distributor receives each packet from a network and may act as a layer 2 switch, a router, or distribute the packet to one of a group of traffic management devices. The distributor may receive packets from servers that the traffic management devices are managing communications to. When distributing packets to traffic management devices, information such as source and destination addresses may be used to determine which traffic management device each packet should be sent to. The distributor causes packets that are part of a flow to be delivered to the same traffic management device.

Abstract: The invention provides for employing a complex data structure to optimize the retrieval of data from a data store over a network. The complex data structure includes two separate sub-data structures (Trie and List) that separately reference the same data objects in a data store. The complex data structure employs a functional interface to determine which data structure matches a particular function request for data. A Trie sub-data structure is used to fulfill a single data object request. The List sub-data structure is employed with function requests related to several data objects. Each data object is associated with a parent object that includes a list of every reference to the data object in both the Trie and List sub-data structures. When a data object is subsequently deleted, the parent object list is employed to automatically delete every reference to the deleted data object in both the Trie and List sub-data structures.

Abstract: An architecture for optimizing network communications that utilizes a device positioned at two edges of a constrained Wide Area Network (WAN) link. The device intercepts outgoing network packets and reroutes them to a proxy application. The proxy application uses persistent connections with a network accelerator device at the other end of the persistent connection. The proxy applications transmit the intercepted data after compressing it using a dictionary-based compression algorithm. Packet mangling may involve spoofing the connection request at each end node; a proxy-to-proxy communication protocol specifies a way to forward an original address, port, and original transport protocol information end to end. The packet mangling and proxy-to-proxy communication protocol assure network transparency.

Abstract: A method and system for authenticating and authorizing requesters interacting with content servers. A message including a request is forwarded from an upstream device and received by an intermediate device. The intermediate device authenticates the upstream device. Then, if the intermediate device is authorized to make decisions as to which sender may access the content server, the intermediate device determines whether the sender of the message has authority to access the content server as requested in the request. Otherwise, the message is forwarded towards the content server with an indication that the intermediate device authenticated the upstream device.

Abstract: A system and computer implementable method for updating content on servers coupled to a network. The method includes updating an origin server with a version of files used to provide content, retrieving data that indicates an action to be performed on one or more cache servers in conjunction with updating the origin server, and performing the action to update entries in the one or more cache servers. Each entry in each cache server is associated with a subset of the content on the origin server and may include an expiration field and/or a time to live field. An example of a subset of content to which a cache entry may be associated is a Web page. Cache servers are not required to poll origin servers to determine whether new content is available. Cache servers may be pre-populated using push or pull techniques.

Abstract: A method and system for distributing network traffic to multiple traffic management devices. A distributor receives each packet from a network and may act as a layer 2 switch, a router, or distribute the packet to one of a group of traffic management devices. The distributor may receive packets from servers that the traffic management devices are managing communications to. When distributing packets to traffic management devices, information such as source and destination addresses may be used to determine which traffic management device each packet should be sent to. The distributor causes packets that are part of a flow to be delivered to the same traffic management device.

Abstract: A compression system is arranged to use software and/or hardware accelerated compression techniques to increase compression speeds and enhance overall data throughput. A logic circuit is arranged to: receive a data stream from a flow control processor, buffer the data stream, select a hardware compressor (e.g., an ASIC), and forward the data to the selected hardware compressor. Each hardware compressor performs compression on the data (e.g., LZ77), and sends the compressed data back to the logic circuit. The logic circuit receives the compressed data, converts the data to another compressed format (e.g., GZIP), and forwards the converted and compressed data back to the flow control processor. History associated with the data stream can be stored in memory by the flow control processor, or in the logic circuit.

Abstract: Disclosed are methods and systems for providing persistence across multiple requests in a WAN load-balanced environment. More than one load balancing system may be used to provide persistence while load balancing. One method and system disclosed provides persistence by using modulus arithmetic to load balance requests. Another method and system disclosed provides persistence using topology information contained in the request. Another method and system disclosed provides persistence by storing connection information to refer a timely continuation request of a prior request to the same server the prior request was referred to. When more than one load balancing system is used with this method, the load balancing systems periodically exchange the stored connection information so that each load balancing system may provide persistence to repeat requests.

Abstract: A method and system for inserting and examining Cookies in the data streams of HTTP connections for the purpose of persistently directing HTTP connections to the same destination. The invention enables a network device to direct subsequent HTTP connections from the same client to the same server (destination) for accessing the requested resources. There are four modes for employing the Cookie to persistently direct HTTP connections. The associative mode inserts a Cookie that uniquely identifies the client into an HTTP response. The passive mode inserts Cookie information that uniquely identifies a previously selected destination into an HTTP response. In the rewrite mode, a network device manages the destination information that is rewritten over blank Cookie information generated by the destination producing the HTTP response. The insert mode inserts and removes Cookie information in the data packets for HTTP requests and responses prior to processing by the destination.

Abstract: A method and system for inserting and examining Cookies in the data streams of HTTP connections for the purpose of persistently directing HTTP connections to the same destination. The invention enables a network device to direct subsequent HTTP connections from the same client to the same server (destination) for accessing the requested resources. There are four modes for employing the Cookie to persistently direct HTTP connections. The associative mode inserts a Cookie that uniquely identifies the client into an HTTP response. The passive mode inserts Cookie information that uniquely identifies a previously selected destination into an HTTP response. In the rewrite mode, a network device manages the destination information that is rewritten over blank Cookie information generated by the destination producing the HTTP response. The insert mode inserts and removes Cookie information in the data packets for HTTP requests and responses prior to processing by the destination.

Abstract: An apparatus is related to connection management for a communications network. A control component receives a data flow requesting a resource from a client, identifies the client, and determines when the data flow is unassociated with a connection to a requested resource. The control component selects a new content server for an unassociated resource request when either the identified client was previously unknown or the identified client has exceeded a maximum number of connections with a previously selected content server. The control component selects the previously selected content server when the identified client has not exceeded the maximum number of connections. A switch component is employed to maintain a connection between the client and the selected content server such that the client receives the requested resource. Utilizing cached connection information for up to “N” connections enhances the speed of connections between the client and the selected content server.

Abstract: A method and system for managing the replication and version synchronization of updates to a set of source files on geographically distributed heterogeneous content servers with minimal impact on a network's bandwidth. The configuration of each content server is either manually entered or automatically determined. The current version of the source files are created on at least one source server. A Primary global server stores a copy of the current version of the set of the source files along with the configuration of each content server. The Primary global server generates and distributes a particular version change container and version distribution list to each remotely located Secondary global server. Each Secondary global server employs the version distribution list and the contents of the version change container to identify the current version of each source file necessary to upgrade the set of source files on each local content server.

Abstract: A method and system for inserting and examining Cookies in the data streams of HTTP connections for the purpose of persistently directing HTTP connections to the same destination. The present invention enables a network transmission device, e.g., a router or controller, to reliably and efficiently direct subsequent HTTP connections from the same client to the same server (destination) for accessing the requested resources. There are four modes for employing the Cookie to persistently direct HTTP connections. The associative mode inserts a Cookie into an HTTP response that uniquely identifies the client so that when a client's subsequent HTTP request is compared to a table, the HTTP request will be routed to a previously selected destination associated with the client.

Abstract: A method and system for inserting and examining Cookies in the data streams of HTTP connections for the purpose of persistently directing HTTP connections to the same destination. The invention enables a network device to direct subsequent HTTP connections from the same client to the same server (destination) for accessing the requested resources. There are four modes for employing the Cookie to persistently direct HTTP connections. The associative mode inserts a Cookie that uniquely identifies the client into an HTTP response. The passive mode inserts Cookie information that uniquely identifies a previously selected destination into an HTTP response. In the rewrite mode, a network device manages the destination information that is rewritten over blank Cookie information generated by the destination producing the HTTP response. The insert mode inserts and removes Cookie information in the data packets for HTTP requests and responses prior to processing by the destination.